[c-nsp] 3845 and urlfilter with websense

Mike Loether mike at azloether.com
Thu Sep 1 22:20:37 EDT 2011


Is there a reason you are using URL filter and not wccp?  

Not sure if it will make a difference for CPU, but it could be worth a try.

Mike


On Sep 1, 2011, at 12:47 PM, Roman Serbski <mefystofel at gmail.com> wrote:

> Hello list-
> 
> I appreciate your help with the following two questions.
> 
> Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version
> 12.4(25b), RELEASE SOFTWARE (fc1)
> Cisco 3845 (revision 1.0) with 1008640K/39936K bytes of memory.
> 2 Gigabit Ethernet interfaces
> 1 Compression AIM
> 1 Virtual Private Network (VPN) Module
> DRAM configuration is 64 bits wide with parity enabled.
> 479K bytes of NVRAM.
> 250368K bytes of ATA System CompactFlash (Read/Write)
> 
> We're using websense to filter http traffic.  Here is the relevant
> config on 3845:
> 
> !
> ip inspect name wbsns http java-list 51 urlfilter timeout 30
> ip urlfilter allow-mode on
> ip urlfilter cache 50
> ip urlfilter server vendor websense 192.168.100.33
> !
> interface GigabitEthernet0/1
>  description -=INTERNAL=-
>  ip address x.x.x.x x.x.x.x
>  ip virtual-reassembly
>  ip inspect wbsns in
>  duplex full
>  speed 100
>  media-type rj45
>  standby 3 ip x.x.x.x
>  standby 3 priority 115
>  standby 3 preempt
>  standby 3 track GigabitEthernet0/0
> !
> access-list 51 permit any
> !
> 
> With ~50Mbps load the CPU load jumps to 33-35% and we start
> experiencing issues with the browsing.  If I disable 'ip inspect wbsns
> in' the CPU load reduces to 5-7% and everything is back to normal.
> 
> Is 33-35% CPU load normal for 3845 handling 50Mbps and urlfilter
> configured?  I googled for urlfilter with websense examples and wasn't
> able to spot anything wrong in my config. Do you think 3845 should be
> able to handle such load (it doesn't do much in our case: no VPN, no
> NAT, a couple of static routes and HSRP on both interfaces)?
> 
> In my attempt to reduce CPU load I configured 'ip urlfilter cache',
> however I don't see it being used -- 'sh ip urlfilter cache' is always
> empty. Are there any conditions that trigger urlfilter cache
> activation?
> 
> Maximum number of cache entries: 50
> Number of entries cached: 0
> --------------------------------------------------------
>    IP address        Age         Time since last hit
>                   (In seconds)     (In seconds)
> --------------------------------------------------------
> 
> Many thanks for your time.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

